From 4d4a42cd0344fac26baa6c4d5374ecec483f3f0c Mon Sep 17 00:00:00 2001
From: Shiwei Zhang
Date: Tue, 15 Feb 2022 13:30:05 +0800
Subject: [PATCH] verify attributes

Signed-off-by: Shiwei Zhang
---
 pkg/cose/signer.go   |  4 ++--
 pkg/cose/verifier.go | 25 +++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/pkg/cose/signer.go b/pkg/cose/signer.go
index 0b6f99d..2a826c4 100644
--- a/pkg/cose/signer.go
+++ b/pkg/cose/signer.go
@@ -80,10 +80,10 @@ func (s *Signer) Sign(ctx context.Context, desc notation.Descriptor, opts notati
 		1:     s.base.GetAlg().Value,    // alg
 		2:     []interface{}{3},         // crit
 		3:     MediaTypeNotationPayload, // cty
-		"iat": time.Now().UTC(),
+		"iat": time.Now().Unix(),
 	}
 	if !opts.Expiry.IsZero() {
-		msg.Headers.Protected["exp"] = opts.Expiry.UTC()
+		msg.Headers.Protected["exp"] = opts.Expiry.Unix()
 	}
 	if err := msg.Sign(rand.Reader, nil, *s.base); err != nil {
 		return nil, err
diff --git a/pkg/cose/verifier.go b/pkg/cose/verifier.go
index 32a367c..7fc3412 100644
--- a/pkg/cose/verifier.go
+++ b/pkg/cose/verifier.go
@@ -181,9 +181,30 @@ func (v *Verifier) verifyCOSE(verifier *cose.Verifier, msg *cose.Sign1Message) e
 		return err
 	}
-	// ensure required attributes exist.
-	if _, ok := header["iat"].(int); !ok {
+	// verify attributes
+	var issuedAt time.Time
+	if value, ok := header["iat"]; !ok {
 		return errors.New("missing iat")
+	} else if unix, ok := value.(int); !ok {
+		return errors.New("invalid iat")
+	} else {
+		issuedAt = time.Unix(int64(unix), 0)
+	}
+	now := time.Now()
+	if issuedAt.After(now) {
+		return errors.New("signature used before generated")
+	}
+
+	if value, ok := header["exp"]; ok {
+		unix, ok := value.(int)
+		if !ok {
+			return errors.New("invalid exp")
+		}
+		expiresAt := time.Unix(int64(unix), 0)
+		if !now.Before(expiresAt) {
+			delta := now.Sub(expiresAt)
+			return fmt.Errorf("signature is expired by %v", delta)
+		}
 	}
 	return nil
 }
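Review bot: The `exp` header written on the new `msg.Headers.Protected["exp"] = opts.Expiry.Unix()` line is the expiry control this patch introduces, yet the `crit` header on the line above it still lists only label 3, so a COSE verifier that skips protected headers it does not recognise would accept a signature past its expiry without error. If the intent is that every verifier must honour the time bounds, marking them critical fails closed: `2: []interface{}{3, "iat", "exp"}, // crit`. Whether the verifiers this envelope targets honour crit for string labels is something I cannot tell from the hunk. The body of Sign starts and ends outside this hunk.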
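Review bot: The `value.(int)` assertions on the new iat and exp branches reject every signature if the CBOR decoder hands back `int64` or `uint64` for `interface{}` targets, which I believe is what the common Go CBOR decoders do; the signer writes `time.Now().Unix()`, an int64, so the only thing keeping the two sides compatible is the decoder's type choice, and a unit test that round-trips Sign into verifyCOSE would settle it. I would route both labels through one helper that switches over the integer types, which also removes the `if`/`else if`/`else` chain around a returning branch. Separately, `if issuedAt.After(now)` has no tolerance, so a signer whose clock is a second ahead produces signatures that fail until the verifier's clock catches up; a small leeway such as `now.Add(clockSkew)` is the usual practice. verifyCOSE starts before this hunk.
```go
// asUnixTime converts a decoded integer header value to a time.Time.
// Decoders differ on the Go integer type they produce for interface{} targets.
func asUnixTime(value interface{}) (time.Time, bool) {
	switch n := value.(type) {
	case int:
		return time.Unix(int64(n), 0), true
	case int64:
		return time.Unix(n, 0), true
	case uint64:
		if n > 1<<63-1 {
			return time.Time{}, false
		}
		return time.Unix(int64(n), 0), true
	}
	return time.Time{}, false
}

	// … unchanged: earlier verifyCOSE body up to the header decode …
	value, ok := header["iat"]
	if !ok {
		return errors.New("missing iat")
	}
	issuedAt, ok := asUnixTime(value)
	if !ok {
		return errors.New("invalid iat")
	}
	// … unchanged: not-before and exp checks, with exp also parsed via asUnixTime …
```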